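// Declarative Jenkins pipeline for the filmweeb backend image:
//   Sonar (static analysis) -> Trivy filesystem scan -> Kaniko build
//   -> Trivy image scan -> Helm deploy.
//
// Every `sh` step that references a secret bound by withCredentials uses a
// SINGLE-quoted Groovy string, so `$TOKEN`, `$PASSWD`, `$MY_TOKEN` etc. are
// expanded by the shell from the environment at run time. A Groovy-interpolated
// ("$TOKEN") string would bake the secret value into the generated shell script
// text, which Jenkins reports as an insecure interpolation of sensitive
// variables. Non-secret variables use the same form for consistency.
pipeline {
    agent none
    environment {
        // REGISTRY and DOCKER_REGISTRY_CREDENTIALS_ID are not referenced
        // anywhere in this file; kept for downstream/agent use — verify before removing.
        REGISTRY = 'harbor.skni.edu.pl/'
        DOCKER_REGISTRY_CREDENTIALS_ID = 'harbor'
        IMAGE = 'harbor.skni.edu.pl/library/filmweeb-back'
        RELEASE_NAME = 'filmweeb-back'
        NAMESPACE = 'filmweeb'
    }
    stages {
        stage('Sonar') {
            agent {
                label 'sonar'
            }
            environment {
                ORGANIZATION = "SKNI-KOD"
                PROJECT_NAME = "filmweeb-back"
                SONAR_SERVER = "https://sonar.skni.edu.pl"
            }
            steps {
                container('sonarqube') {
                    withCredentials([string(credentialsId: 'sonar', variable: 'TOKEN')]) {
                        // $TOKEN is expanded by the shell, not by Groovy (see header comment).
                        // The exclusions glob is double-quoted so the shell cannot expand
                        // `**/helm/**/*` against the workspace before sonar-scanner sees it.
                        // NOTE(review): sonar.login is the legacy property name; newer
                        // scanners prefer sonar.token — confirm against the server version.
                        sh '''sonar-scanner -Dsonar.organization="$ORGANIZATION" \
                            -Dsonar.projectKey="$PROJECT_NAME" \
                            -Dsonar.host.url="$SONAR_SERVER" \
                            -Dsonar.login="$TOKEN" \
                            -Dsonar.sources=. \
                            -Dsonar.exclusions="**/helm/**/*" \
                            -Dsonar.sourceEncoding=UTF-8 \
                            -Dsonar.language=php \
                            -Dsonar.php.file.suffixes=.php
                        '''
                    }
                }
            }
        }
        stage('Scan source') {
            agent {
                label 'trivy'
            }
            steps {
                container('trivy') {
                    // The HTML report template is stored as a file credential; copy it
                    // into the workspace so trivy can read it as @./html.tpl.
                    withCredentials([file(credentialsId: 'html.tpl', variable: 'TEMPLATE')]) {
                        sh 'cp "$TEMPLATE" html.tpl'
                    }
                    // First pass: report every severity, never fail the build.
                    sh 'trivy filesystem --ignore-unfixed --vuln-type os,library --format template --template @./html.tpl -o report-app.html .'
                    // Second pass: fail the build (exit code 1) on CRITICAL findings only.
                    sh 'trivy filesystem --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL .'
                    archiveArtifacts 'report-app.html'
                }
            }
        }
        stage('Build') {
            agent {
                label 'kaniko'
            }
            steps {
                container('kaniko') {
                    // Build and push the image tagged with the Jenkins build id.
                    // Single-quoted so $(pwd), $IMAGE and $BUILD_ID are resolved by the shell.
                    sh '/kaniko/executor --context="$(pwd)" --dockerfile="$(pwd)/Dockerfile" --cache=true --destination="$IMAGE:$BUILD_ID"'
                }
            }
        }
        stage('Scan image') {
            agent {
                label 'trivy'
            }
            steps {
                container('trivy') {
                    withCredentials([usernamePassword(credentialsId: 'harbor', passwordVariable: 'PASSWD', usernameVariable: 'USER')]) {
                        withCredentials([file(credentialsId: 'html.tpl', variable: 'TEMPLATE')]) {
                            sh 'cp "$TEMPLATE" html.tpl'
                        }
                        // Registry credentials are passed via shell expansion (single quotes),
                        // never Groovy interpolation. Passing --password on the command line
                        // still exposes the value in the agent's process list for the duration
                        // of the scan; trivy also honours TRIVY_USERNAME / TRIVY_PASSWORD from
                        // the environment if that exposure matters on shared agents.
                        // First pass: full report, no failure.
                        sh 'trivy image --format template --template @./html.tpl -o report-image.html --username "$USER" --password "$PASSWD" "$IMAGE:$BUILD_ID"'
                        // Second pass: fail on CRITICAL findings.
                        sh 'trivy image --exit-code 1 --severity CRITICAL --username "$USER" --password "$PASSWD" "$IMAGE:$BUILD_ID"'
                        archiveArtifacts 'report-image.html'
                    }
                }
            }
        }
        stage('Deploy') {
            agent {
                label 'helm'
            }
            steps {
                container(name: 'helm', shell: '/bin/sh') {
                    // Build a kubeconfig for the in-cluster API from a CA file credential and a
                    // service-account token credential, then upgrade/install the Helm release.
                    // The token is expanded by the shell from $MY_TOKEN, not interpolated by Groovy.
                    withCredentials([file(credentialsId: 'k8s-ca', variable: 'MY_CA'), string(credentialsId: 'k8s-token', variable: 'MY_TOKEN')]) {
                        sh '''
                            kubectl config set-cluster mycluster --server=https://kubernetes.default --certificate-authority="$MY_CA"
                            kubectl config set-credentials jenkins-robot --token="$MY_TOKEN"
                            kubectl config set-context mycontext --cluster=mycluster --user=jenkins-robot
                            kubectl config use-context mycontext
                            helm upgrade --install --namespace "$NAMESPACE" --set image.tag="$BUILD_ID" "$RELEASE_NAME" ./helm
                        '''
                    }
                }
            }
        }
    }
}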